Re: [squid-users] sslBump: unrecognized: 'ssl_bump', unrecognized: 'https_port'

From: Guillaume CHAUVEL <guillaume.chauvel_at_gmail.com>
Date: Thu, 9 Sep 2010 13:05:17 +0200

> Hi,
>
> I want to enable SSL bumping with Squid.
> This function is disabled in Debian version of Squid (Lenny,
> Lenny-backports and Squeeze), so I decided to compile Squid from source.
>
> Squid version: 3.1.8
>
> ./configure --prefix=/usr/local/squid \
>    --enable-inline \
>    --enable-async-io=8 \
>    --enable-storeio="ufs,aufs,diskd" \
>    --enable-removal-policies="lru,heap" \
>    --enable-delay-pools \
>    --enable-cache-digests \
>    --enable-icap-client \
>    --enable-follow-x-forwarded-for \
>    --enable-auth="basic,digest,ntlm,negotiate" \
>
.......
>
> /usr/local/squid/sbin/squid output:
> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
> squid.conf:1155 unrecognized: 'https_port'
> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
> squid.conf:1156 unrecognized: 'ssl_bump'
> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
> squid.conf:1537 unrecognized: 'ssl_bump'
> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
> squid.conf:5625 unrecognized: 'sslproxy_cert_error'
> 2010/09/09 11:23:43| cache_cf.cc(363) parseOneConfigFile:
> squid.conf:5626 unrecognized: 'sslproxy_flags'
>
> What am I doing wrong?

./configure --help | grep ssl
  --enable-ssl Enable ssl gatewaying support using OpenSSL
  --with-openssl{=PATH} Compile with the OpenSSL libraries. The path to the

It looks like '--with-ssl' doesn't work; you should use '--enable-ssl'.

Also, since 3.1.7 "sslBump" is deprecated; you should move to
"ssl-bump": http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_7.html
Have a look at ./src/squid.conf.documented line 1045.

>http_port 8080
>https_port 8443 sslBump cert=/etc/ssl/certs/certificate.pem

I am quite new to Squid, but I don't think this is going to do what you
want, judging by your config file without any "cache_peer".
https_port, as stated in the documentation, is really only useful when
running Squid as an accelerator. You should use
"http_port 8080 ssl-bump cert=/etc/ssl/certs/certificate.pem" instead
and remove https_port.

Guillaume.
Received on Thu Sep 09 2010 - 11:05:24 MDT
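
An added example, not part of the reply above and not Squid project code: a small shell lint for the two problems in this thread, a build configured without --enable-ssl and the deprecated sslBump spelling on a port line. The function names and finding codes are assumptions of this example; the directive list is taken from the log quoted above.

```shell
#!/bin/sh
# Added example: lint a Squid 3.1 build and squid.conf for the problems
# discussed in this thread. Names and finding codes are hypothetical.

# Directives the quoted log reports as unrecognized in a build without SSL.
SSL_DIRECTIVES="https_port ssl_bump sslproxy_cert_error sslproxy_flags"

# has_enable_ssl OPTIONS
# Succeeds if --enable-ssl is among the configure options. OPTIONS is the
# option string, e.g. the "configure options:" line printed by `squid -v`
# (quotes around each option are stripped before matching).
has_enable_ssl() {
    for opt in $(printf '%s' "$1" | tr -d "'\""); do
        [ "$opt" = "--enable-ssl" ] && return 0
    done
    return 1
}

# lint_squid OPTIONS CONF
# Prints one "line:code:directive" finding per problem found in CONF:
#   needs-enable-ssl    directive will be "unrecognized" without --enable-ssl
#   deprecated-sslBump  port option spelled sslBump instead of ssl-bump
lint_squid() {
    if has_enable_ssl "$1"; then ssl=1; else ssl=0; fi
    awk -v ssl="$ssl" -v names="$SSL_DIRECTIVES" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) need[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        !ssl && ($1 in need) { print NR ":needs-enable-ssl:" $1 }
        $1 == "http_port" || $1 == "https_port" {
            for (i = 2; i <= NF; i++)
                if ($i == "sslBump") print NR ":deprecated-sslBump:" $1
        }
    ' "$2"
}

# Usage: lint_squid "$(/usr/local/squid/sbin/squid -v)" /path/to/squid.conf
```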